diff options
author | Alyssa Ross <hi@alyssa.is> | 2023-09-12 08:14:37 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-09-12 08:14:37 +0000 |
commit | 7d648ac22d941d0c7efdd987315ae0ddf9932ba0 (patch) | |
tree | 51a3e8126722c5a52a9a1e7e40b4eeaf4610db0b /nixpkgs/pkgs/test | |
parent | aa4353b499e6950b7333578f936455a628145c31 (diff) | |
parent | db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b (diff) | |
download | nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar.gz nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar.bz2 nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar.lz nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar.xz nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.tar.zst nixlib-7d648ac22d941d0c7efdd987315ae0ddf9932ba0.zip |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/pkgs/test')
-rw-r--r-- | nixpkgs/pkgs/test/cc-wrapper/default.nix | 26 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c | 16 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c | 16 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c | 13 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/cc-wrapper/hardening.nix | 396 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/default.nix | 103 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md | 3 | ||||
-rw-r--r-- | nixpkgs/pkgs/test/texlive/default.nix | 2 |
8 files changed, 545 insertions, 30 deletions
diff --git a/nixpkgs/pkgs/test/cc-wrapper/default.nix b/nixpkgs/pkgs/test/cc-wrapper/default.nix index 43e8e7a21426..8809030989e6 100644 --- a/nixpkgs/pkgs/test/cc-wrapper/default.nix +++ b/nixpkgs/pkgs/test/cc-wrapper/default.nix @@ -9,25 +9,29 @@ let ); staticLibc = lib.optionalString (stdenv.hostPlatform.libc == "glibc") "-L ${glibc.static}/lib"; emulator = stdenv.hostPlatform.emulator buildPackages; + libcxxStdenvSuffix = lib.optionalString (stdenv.cc.libcxx != null) "-libcxx"; in stdenv.mkDerivation { - name = "cc-wrapper-test"; + pname = "cc-wrapper-test-${stdenv.cc.cc.pname}${libcxxStdenvSuffix}"; + version = stdenv.cc.version; buildCommand = '' + echo "Testing: ${stdenv.cc.name}" >&2 + echo "With libc: ${stdenv.cc.libc.name}" >&2 set -o pipefail NIX_DEBUG=1 $CC -v NIX_DEBUG=1 $CXX -v - printf "checking whether compiler builds valid C binaries... " >&2 + echo "checking whether compiler builds valid C binaries... " >&2 $CC -o cc-check ${./cc-main.c} ${emulator} ./cc-check - printf "checking whether compiler builds valid C++ binaries... " >&2 + echo "checking whether compiler builds valid C++ binaries... " >&2 $CXX -o cxx-check ${./cxx-main.cc} ${emulator} ./cxx-check ${lib.optionalString (stdenv.isDarwin && stdenv.cc.isClang) '' - printf "checking whether compiler can build with CoreFoundation.framework... " >&2 + echo "checking whether compiler can build with CoreFoundation.framework... " >&2 mkdir -p foo/lib $CC -framework CoreFoundation -o core-foundation-check ${./core-foundation-main.c} ${emulator} ./core-foundation-check @@ -35,11 +39,11 @@ in stdenv.mkDerivation { ${lib.optionalString (!stdenv.isDarwin) '' - printf "checking whether compiler builds valid static C binaries... " >&2 + echo "checking whether compiler builds valid static C binaries... " >&2 $CC ${staticLibc} -static -o cc-static ${./cc-main.c} ${emulator} ./cc-static ${lib.optionalString (stdenv.cc.isGNU && lib.versionAtLeast (lib.getVersion stdenv.cc.name) "8.0.0") '' - printf "checking whether compiler builds valid static pie C binaries... " >&2 + echo "checking whether compiler builds valid static pie C binaries... " >&2 $CC ${staticLibc} -static-pie -o cc-static-pie ${./cc-main.c} ${emulator} ./cc-static-pie ''} @@ -48,7 +52,7 @@ in stdenv.mkDerivation { ${# See: https://github.com/llvm/llvm-project/commit/ed1d07282cc9d8e4c25d585e03e5c8a1b6f63a74 # `gcc` does not support this so we gate the test on `clang` lib.optionalString stdenv.cc.isClang '' - printf "checking whether cc-wrapper accepts -- followed by positional (file) args..." >&2 + echo "checking whether cc-wrapper accepts -- followed by positional (file) args..." >&2 mkdir -p positional # Make sure `--` is not parsed as a "non flag arg"; we should get an @@ -66,13 +70,13 @@ in stdenv.mkDerivation { ${emulator} ./positional/main ''} - printf "checking whether compiler uses NIX_CFLAGS_COMPILE... " >&2 + echo "checking whether compiler uses NIX_CFLAGS_COMPILE... " >&2 mkdir -p foo/include cp ${./foo.c} foo/include/foo.h NIX_CFLAGS_COMPILE="-Ifoo/include -DVALUE=42" $CC -o cflags-check ${./cflags-main.c} ${emulator} ./cflags-check - printf "checking whether compiler uses NIX_LDFLAGS... " >&2 + echo "checking whether compiler uses NIX_LDFLAGS... " >&2 mkdir -p foo/lib $CC -shared \ ${lib.optionalString stdenv.isDarwin "-Wl,-install_name,@rpath/libfoo.dylib"} \ @@ -83,7 +87,7 @@ in stdenv.mkDerivation { NIX_LDFLAGS="-L$NIX_BUILD_TOP/foo/lib -rpath $NIX_BUILD_TOP/foo/lib" $CC -lfoo -o ldflags-check ${./ldflags-main.c} ${emulator} ./ldflags-check - printf "Check whether -nostdinc and -nostdinc++ is handled correctly" >&2 + echo "Check whether -nostdinc and -nostdinc++ is handled correctly" >&2 mkdir -p std-include cp ${./stdio.h} std-include/stdio.h NIX_DEBUG=1 $CC -I std-include -nostdinc -o nostdinc-main ${./nostdinc-main.c} @@ -92,7 +96,7 @@ in stdenv.mkDerivation { ${emulator} ./nostdinc-main++ ${lib.optionalString sanitizersWorking '' - printf "checking whether sanitizers are fully functional... ">&2 + echo "checking whether sanitizers are fully functional... ">&2 $CC -o sanitizers -fsanitize=address,undefined ${./sanitizers.c} ASAN_OPTIONS=use_sigaltstack=0 ${emulator} ./sanitizers ''} diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c new file mode 100644 index 000000000000..48b9c268e728 --- /dev/null +++ b/nixpkgs/pkgs/test/cc-wrapper/fortify1-example.c @@ -0,0 +1,16 @@ +/* an example that should be protected by FORTIFY_SOURCE=1 */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + + +int main(int argc, char *argv[]) { + /* allocate on the heap so we're likely to get an + * over-allocation and can be more sure that a + * failure is because of fortify protection rather + * than a genuine segfault */ + char* buffer = malloc(sizeof(char) * 7); + strcpy(buffer, argv[1]); + puts(buffer); + return 0; +} diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c new file mode 100644 index 000000000000..dfb5a8e87294 --- /dev/null +++ b/nixpkgs/pkgs/test/cc-wrapper/fortify2-example.c @@ -0,0 +1,16 @@ +/* an example that should be protected by FORTIFY_SOURCE=2 but + * not FORTIFY_SOURCE=1 */ +#include <stdio.h> +#include <string.h> + +struct buffer_with_pad { + char buffer[7]; + char pad[25]; +}; + +int main(int argc, char *argv[]) { + struct buffer_with_pad b; + strcpy(b.buffer, argv[1]); + puts(b.buffer); + return 0; +} diff --git a/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c b/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c new file mode 100644 index 000000000000..9a0a5f4792c3 --- /dev/null +++ b/nixpkgs/pkgs/test/cc-wrapper/fortify3-example.c @@ -0,0 +1,13 @@ +/* an example that should be protected by FORTIFY_SOURCE=3 but + * not FORTIFY_SOURCE=2 */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + + +int main(int argc, char *argv[]) { + char* buffer = malloc(atoi(argv[2])); + strcpy(buffer, argv[1]); + puts(buffer); + return 0; +} diff --git a/nixpkgs/pkgs/test/cc-wrapper/hardening.nix b/nixpkgs/pkgs/test/cc-wrapper/hardening.nix new file mode 100644 index 000000000000..41ddaefdfea8 --- /dev/null +++ b/nixpkgs/pkgs/test/cc-wrapper/hardening.nix @@ -0,0 +1,396 @@ +{ lib +, stdenv +, runCommand +, runCommandWith +, runCommandCC +, debian-devscripts +}: + +let + # writeCBin from trivial-builders won't let us choose + # our own stdenv + writeCBinWithStdenv = codePath: stdenv': env: runCommandWith { + name = "test-bin"; + stdenv = stdenv'; + derivationArgs = { + inherit codePath; + preferLocalBuild = true; + allowSubstitutes = false; + } // env; + } '' + [ -n "$preBuild" ] && eval "$preBuild" + n=$out/bin/test-bin + mkdir -p "$(dirname "$n")" + cp "$codePath" code.c + NIX_DEBUG=1 $CC -x c code.c -O1 $TEST_EXTRA_FLAGS -o "$n" + ''; + + f1exampleWithStdEnv = writeCBinWithStdenv ./fortify1-example.c; + f2exampleWithStdEnv = writeCBinWithStdenv ./fortify2-example.c; + f3exampleWithStdEnv = writeCBinWithStdenv ./fortify3-example.c; + + stdenvUnsupport = additionalUnsupported: stdenv.override { + cc = stdenv.cc.override { + cc = (lib.extendDerivation true { + hardeningUnsupportedFlags = (stdenv.cc.cc.hardeningUnsupportedFlags or []) ++ additionalUnsupported; + } stdenv.cc.cc); + }; + allowedRequisites = null; + }; + + checkTestBin = testBin: { + # can only test flags that are detectable by hardening-check + ignoreBindNow ? true, + ignoreFortify ? true, + ignorePie ? true, + ignoreRelRO ? true, + ignoreStackProtector ? true, + expectFailure ? false, + }: let + expectFailureClause = lib.optionalString expectFailure + " && echo 'ERROR: Expected hardening-check to fail, but it passed!' >&2 && exit 1"; + in runCommandCC "check-test-bin" { + nativeBuildInputs = [ debian-devscripts ]; + buildInputs = [ testBin ]; + meta.platforms = lib.platforms.linux; # ELF-reliant + } '' + hardening-check --nocfprotection \ + ${lib.optionalString ignoreBindNow "--nobindnow"} \ + ${lib.optionalString ignoreFortify "--nofortify"} \ + ${lib.optionalString ignorePie "--nopie"} \ + ${lib.optionalString ignoreRelRO "--norelro"} \ + ${lib.optionalString ignoreStackProtector "--nostackprotector"} \ + $(PATH=$HOST_PATH type -P test-bin) ${expectFailureClause} + touch $out + ''; + + nameDrvAfterAttrName = builtins.mapAttrs (name: drv: + drv.overrideAttrs (_: { name = "test-${name}"; }) + ); + + # returning a specific exit code when aborting due to a fortify + # check isn't mandated. so it's better to just ensure that a + # nonzero exit code is returned when we go a single byte beyond + # the buffer, with the example programs being designed to be + # unlikely to genuinely segfault for such a small overflow. + fortifyExecTest = testBin: runCommand "exec-test" { + buildInputs = [ + testBin + ]; + meta.broken = !(stdenv.buildPlatform.canExecute stdenv.hostPlatform); + } '' + ( + export PATH=$HOST_PATH + echo "Saturated buffer:" # check program isn't completly broken + test-bin 012345 7 + echo "One byte too far:" # eighth byte being the null terminator + (! test-bin 0123456 7) || (echo 'Expected failure, but succeeded!' && exit 1) + ) + echo "Expected behaviour observed" + touch $out + ''; + + brokenIf = cond: drv: if cond then drv.overrideAttrs (old: { meta = old.meta or {} // { broken = true; }; }) else drv; + +in nameDrvAfterAttrName ({ + bindNowExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "bindnow" ]; + }) { + ignoreBindNow = false; + }); + + # musl implementation undetectable by this means even if present + fortifyExplicitEnabled = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + }) { + ignoreFortify = false; + }); + + fortify1ExplicitEnabledExecTest = fortifyExecTest (f1exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + }); + + # musl implementation is effectively FORTIFY_SOURCE=1-only, + # clang-on-glibc also only appears to support FORTIFY_SOURCE=1 (!) + fortifyExplicitEnabledExecTest = brokenIf ( + stdenv.hostPlatform.isMusl || (stdenv.cc.isClang && stdenv.hostPlatform.libc == "glibc") + ) (fortifyExecTest (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + })); + + fortify3ExplicitEnabled = brokenIf ( + stdenv.hostPlatform.isMusl || !stdenv.cc.isGNU || lib.versionOlder stdenv.cc.version "12" + ) (checkTestBin (f3exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify3" ]; + }) { + ignoreFortify = false; + }); + + # musl implementation is effectively FORTIFY_SOURCE=1-only + fortify3ExplicitEnabledExecTest = brokenIf ( + stdenv.hostPlatform.isMusl || !stdenv.cc.isGNU || lib.versionOlder stdenv.cc.version "12" + ) (fortifyExecTest (f3exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify3" ]; + })); + + pieExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "pie" ]; + }) { + ignorePie = false; + }); + + relROExplicitEnabled = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "relro" ]; + }) { + ignoreRelRO = false; + }; + + stackProtectorExplicitEnabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "stackprotector" ]; + }) { + ignoreStackProtector = false; + }); + + bindNowExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "bindnow" ]; + }) { + ignoreBindNow = false; + expectFailure = true; + }; + + fortifyExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortify3ExplicitDisabled = checkTestBin (f3exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify3" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortifyExplicitDisabledDisablesFortify3 = checkTestBin (f3exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify3" ]; + hardeningDisable = [ "fortify" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortify3ExplicitDisabledDoesntDisableFortify = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + hardeningDisable = [ "fortify3" ]; + }) { + ignoreFortify = false; + }; + + pieExplicitDisabled = brokenIf ( + stdenv.hostPlatform.isMusl && stdenv.cc.isClang + ) (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "pie" ]; + }) { + ignorePie = false; + expectFailure = true; + }); + + # can't force-disable ("partial"?) relro + relROExplicitDisabled = brokenIf true (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "pie" ]; + }) { + ignoreRelRO = false; + expectFailure = true; + }); + + stackProtectorExplicitDisabled = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "stackprotector" ]; + }) { + ignoreStackProtector = false; + expectFailure = true; + }; + + # most flags can't be "unsupported" by compiler alone and + # binutils doesn't have an accessible hardeningUnsupportedFlags + # mechanism, so can only test a couple of flags through altered + # stdenv trickery + + fortifyStdenvUnsupp = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["fortify"]) { + hardeningEnable = [ "fortify" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortify3StdenvUnsupp = checkTestBin (f3exampleWithStdEnv (stdenvUnsupport ["fortify3"]) { + hardeningEnable = [ "fortify3" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortifyStdenvUnsuppUnsupportsFortify3 = checkTestBin (f3exampleWithStdEnv (stdenvUnsupport ["fortify"]) { + hardeningEnable = [ "fortify3" ]; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + fortify3StdenvUnsuppDoesntUnsuppFortify = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["fortify3"]) { + hardeningEnable = [ "fortify" ]; + }) { + ignoreFortify = false; + }); + + fortify3StdenvUnsuppDoesntUnsuppFortifyExecTest = fortifyExecTest (f2exampleWithStdEnv (stdenvUnsupport ["fortify3"]) { + hardeningEnable = [ "fortify" ]; + }); + + stackProtectorStdenvUnsupp = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["stackprotector"]) { + hardeningEnable = [ "stackprotector" ]; + }) { + ignoreStackProtector = false; + expectFailure = true; + }; + + # NIX_HARDENING_ENABLE set in the shell overrides hardeningDisable + # and hardeningEnable + + stackProtectorReenabledEnv = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "stackprotector" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="stackprotector" + ''; + }) { + ignoreStackProtector = false; + }; + + stackProtectorReenabledFromAllEnv = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "all" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="stackprotector" + ''; + }) { + ignoreStackProtector = false; + }; + + stackProtectorRedisabledEnv = checkTestBin (f2exampleWithStdEnv stdenv { + hardeningEnable = [ "stackprotector" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="" + ''; + }) { + ignoreStackProtector = false; + expectFailure = true; + }; + + fortify3EnabledEnvEnablesFortify = brokenIf stdenv.hostPlatform.isMusl (checkTestBin (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" "fortify3" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="fortify3" + ''; + }) { + ignoreFortify = false; + }); + + fortify3EnabledEnvEnablesFortifyExecTest = fortifyExecTest (f2exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" "fortify3" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="fortify3" + ''; + }); + + fortifyEnabledEnvDoesntEnableFortify3 = checkTestBin (f3exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" "fortify3" ]; + preBuild = '' + export NIX_HARDENING_ENABLE="fortify" + ''; + }) { + ignoreFortify = false; + expectFailure = true; + }; + + # NIX_HARDENING_ENABLE can't enable an unsupported feature + + stackProtectorUnsupportedEnabledEnv = checkTestBin (f2exampleWithStdEnv (stdenvUnsupport ["stackprotector"]) { + preBuild = '' + export NIX_HARDENING_ENABLE="stackprotector" + ''; + }) { + ignoreStackProtector = false; + expectFailure = true; + }; + + # undetectable by this means on static even if present + fortify1ExplicitEnabledCmdlineDisabled = brokenIf stdenv.hostPlatform.isStatic (checkTestBin (f1exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + preBuild = '' + export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=0' + ''; + }) { + ignoreFortify = false; + expectFailure = true; + }); + + # musl implementation undetectable by this means even if present + fortify1ExplicitDisabledCmdlineEnabled = brokenIf ( + stdenv.hostPlatform.isMusl || stdenv.hostPlatform.isStatic + ) (checkTestBin (f1exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" ]; + preBuild = '' + export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=1' + ''; + }) { + ignoreFortify = false; + }); + + fortify1ExplicitDisabledCmdlineEnabledExecTest = fortifyExecTest (f1exampleWithStdEnv stdenv { + hardeningDisable = [ "fortify" ]; + preBuild = '' + export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=1' + ''; + }); + + fortify1ExplicitEnabledCmdlineDisabledNoWarn = f1exampleWithStdEnv stdenv { + hardeningEnable = [ "fortify" ]; + preBuild = '' + export TEST_EXTRA_FLAGS='-D_FORTIFY_SOURCE=0 -Werror' + ''; + }; + +} // (let + tb = f2exampleWithStdEnv stdenv { + hardeningDisable = [ "all" ]; + hardeningEnable = [ "fortify" "pie" ]; + }; +in { + + allExplicitDisabledBindNow = checkTestBin tb { + ignoreBindNow = false; + expectFailure = true; + }; + + allExplicitDisabledFortify = checkTestBin tb { + ignoreFortify = false; + expectFailure = true; + }; + + allExplicitDisabledPie = brokenIf ( + stdenv.hostPlatform.isMusl && stdenv.cc.isClang + ) (checkTestBin tb { + ignorePie = false; + expectFailure = true; + }); + + # can't force-disable ("partial"?) relro + allExplicitDisabledRelRO = brokenIf true (checkTestBin tb { + ignoreRelRO = false; + expectFailure = true; + }); + + allExplicitDisabledStackProtector = checkTestBin tb { + ignoreStackProtector = false; + expectFailure = true; + }; +})) diff --git a/nixpkgs/pkgs/test/default.nix b/nixpkgs/pkgs/test/default.nix index d6fd75359fc4..b914ec26ae00 100644 --- a/nixpkgs/pkgs/test/default.nix +++ b/nixpkgs/pkgs/test/default.nix @@ -3,26 +3,95 @@ with pkgs; { - cc-wrapper = callPackage ./cc-wrapper { }; - cc-wrapper-gcc = callPackage ./cc-wrapper { stdenv = gccStdenv; }; - cc-wrapper-gcc7 = callPackage ./cc-wrapper { stdenv = gcc7Stdenv; }; - cc-wrapper-gcc8 = callPackage ./cc-wrapper { stdenv = gcc8Stdenv; }; - cc-wrapper-gcc9 = callPackage ./cc-wrapper { stdenv = gcc9Stdenv; }; - cc-wrapper-clang = callPackage ./cc-wrapper { stdenv = llvmPackages.stdenv; }; - cc-wrapper-libcxx = callPackage ./cc-wrapper { stdenv = llvmPackages.libcxxStdenv; }; - cc-wrapper-clang-5 = callPackage ./cc-wrapper { stdenv = llvmPackages_5.stdenv; }; - cc-wrapper-libcxx-5 = callPackage ./cc-wrapper { stdenv = llvmPackages_5.libcxxStdenv; }; - cc-wrapper-clang-6 = callPackage ./cc-wrapper { stdenv = llvmPackages_6.stdenv; }; - cc-wrapper-libcxx-6 = callPackage ./cc-wrapper { stdenv = llvmPackages_6.libcxxStdenv; }; - cc-wrapper-clang-7 = callPackage ./cc-wrapper { stdenv = llvmPackages_7.stdenv; }; - cc-wrapper-libcxx-7 = callPackage ./cc-wrapper { stdenv = llvmPackages_7.libcxxStdenv; }; - cc-wrapper-clang-8 = callPackage ./cc-wrapper { stdenv = llvmPackages_8.stdenv; }; - cc-wrapper-libcxx-8 = callPackage ./cc-wrapper { stdenv = llvmPackages_8.libcxxStdenv; }; - cc-wrapper-clang-9 = callPackage ./cc-wrapper { stdenv = llvmPackages_9.stdenv; }; - cc-wrapper-libcxx-9 = callPackage ./cc-wrapper { stdenv = llvmPackages_9.libcxxStdenv; }; + cc-wrapper = with builtins; let + pkgNames = (attrNames pkgs); + llvmTests = let + pkgSets = lib.pipe pkgNames [ + (filter (lib.hasPrefix "llvmPackages")) + (filter (n: n != "llvmPackages_rocm")) + (filter (n: n != "llvmPackages_latest")) + (filter (n: n != "llvmPackages_git")) + ]; + tests = lib.genAttrs pkgSets (name: recurseIntoAttrs { + clang = callPackage ./cc-wrapper { stdenv = pkgs.${name}.stdenv; }; + libcxx = callPackage ./cc-wrapper { stdenv = pkgs.${name}.libcxxStdenv; }; + }); + in + tests; + gccTests = let + pkgSets = lib.pipe (attrNames pkgs) ([ + (filter (lib.hasPrefix "gcc")) + (filter (lib.hasSuffix "Stdenv")) + (filter (n: n != "gccCrossLibcStdenv")) + ] ++ lib.optionals (!( + (stdenv.buildPlatform.isLinux && stdenv.buildPlatform.isx86_64) && + (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64) + )) [ + (filter (n: !lib.hasSuffix "MultiStdenv" n)) + ]); + in lib.genAttrs pkgSets (name: callPackage ./cc-wrapper { stdenv = pkgs.${name}; }); + in recurseIntoAttrs { + default = callPackage ./cc-wrapper { }; + + supported = stdenv.mkDerivation { + name = "cc-wrapper-supported"; + builtGCC = + let + names = lib.pipe (attrNames gccTests) ([ + (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.cc)) + # Broken + (filter (n: n != "gcc49Stdenv")) + (filter (n: n != "gccMultiStdenv")) + ] ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [ + # fails with things like + # ld: warning: ld: warning: object file (trunctfsf2_s.o) was built for newer macOS version (11.0) than being linked (10.5) + # ld: warning: ld: warning: could not create compact unwind for ___fixunstfdi: register 20 saved somewhere other than in frame + (filter (n: n != "gcc11Stdenv")) + ]); + in + toJSON (lib.genAttrs names (name: { name = pkgs.${name}; })); + + builtLLVM = + let + names = lib.pipe (attrNames llvmTests) ([ + (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.stdenv.cc)) + (filter (n: lib.meta.availableOn stdenv.hostPlatform pkgs.${n}.libcxxStdenv.cc)) + + # libcxxStdenv broken + # fix in https://github.com/NixOS/nixpkgs/pull/216273 + ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isAarch64) [ + # libcxx does not build for some reason on aarch64-linux + (filter (n: n != "llvmPackages_7")) + ] ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [ + (filter (n: n != "llvmPackages_5")) + (filter (n: n != "llvmPackages_6")) + (filter (n: n != "llvmPackages_7")) + (filter (n: n != "llvmPackages_8")) + (filter (n: n != "llvmPackages_9")) + (filter (n: n != "llvmPackages_10")) + ]); + in + toJSON (lib.genAttrs names (name: { stdenv = pkgs.${name}.stdenv; libcxx = pkgs.${name}.libcxxStdenv; })); + buildCommand = '' + touch $out + ''; + }; + + llvmTests = recurseIntoAttrs llvmTests; + inherit gccTests; + }; + stdenv-inputs = callPackage ./stdenv-inputs { }; stdenv = callPackage ./stdenv { }; + hardeningFlags = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix {}); + hardeningFlags-gcc = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix { + stdenv = gccStdenv; + }); + hardeningFlags-clang = recurseIntoAttrs (callPackage ./cc-wrapper/hardening.nix { + stdenv = llvmPackages.stdenv; + }); + config = callPackage ./config.nix { }; haskell = callPackage ./haskell { }; diff --git a/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md b/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md index 754d0a2090df..4dd694acd2f0 100644 --- a/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md +++ b/nixpkgs/pkgs/test/nixpkgs-check-by-name/README.md @@ -1,11 +1,12 @@ # Nixpkgs pkgs/by-name checker This directory implements a program to check the [validity](#validity-checks) of the `pkgs/by-name` Nixpkgs directory once introduced. +It is being used by [this GitHub Actions workflow](../../../.github/workflows/check-by-name.yml). This is part of the implementation of [RFC 140](https://github.com/NixOS/rfcs/pull/140). ## API -This API may be changed over time if the CI making use of it is adjusted to deal with the change appropriately, see [Hydra builds](#hydra-builds). +This API may be changed over time if the CI workflow making use of it is adjusted to deal with the change appropriately. - Command line: `nixpkgs-check-by-name <NIXPKGS>` - Arguments: diff --git a/nixpkgs/pkgs/test/texlive/default.nix b/nixpkgs/pkgs/test/texlive/default.nix index e2c714100f90..12c42444f183 100644 --- a/nixpkgs/pkgs/test/texlive/default.nix +++ b/nixpkgs/pkgs/test/texlive/default.nix @@ -373,7 +373,7 @@ rec { # (1) binaries requiring --help or -h help = [ "arlatex" "bundledoc" "cachepic" "checklistings" "dvipos" "extractres" "fig4latex" "fragmaster" "kpsewhere" "latex-git-log" "ltxfileinfo" "mendex" "perltex" "pn2pdf" "psbook" "psnup" "psresize" "purifyeps" - "simpdftex" "tex2xindy" "texluac" "texluajitc" "urlbst" "yplan" ]; + "simpdftex" "tex2xindy" "texluac" "texluajitc" "upmendex" "urlbst" "yplan" ]; shortHelp = [ "adhocfilelist" "authorindex" "bbl2bib" "bibdoiadd" "bibmradd" "biburl2doi" "bibzbladd" "ctanupload" "disdvi" "dvibook" "dviconcat" "getmapdl" "latex2man" "listings-ext.sh" "pygmentex" ]; # (2) binaries that return non-zero exit code even if correctly asked for help |